/**
* Verify the ocsp status of a certificate
*/
cert_status_t verify_by_ocsp(const cert_t *cert, time_t *until,
time_t *revocationDate,
crl_reason_t *revocationReason)
{
x509_t *x509 = (x509_t*)cert->cert;
chunk_t serialNumber = x509->get_serial(x509);
cert_status_t status;
ocsp_location_t location;
time_t nextUpdate = UNDEFINED_TIME;
*revocationDate = UNDEFINED_TIME;
*revocationReason = CRL_REASON_UNSPECIFIED;
/* is an ocsp location defined? */
if (!build_ocsp_location(cert, &location))
{
return CERT_UNDEFINED;
}
lock_ocsp_cache("verify_by_ocsp");
status = get_ocsp_status(&location, serialNumber, &nextUpdate
, revocationDate, revocationReason);
unlock_ocsp_cache("verify_by_ocsp");
if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
{
plog("ocsp status is stale or not in cache");
add_ocsp_fetch_request(&location, serialNumber);
/* inititate fetching of ocsp status */
wake_fetch_thread("verify_by_ocsp");
}
*until = nextUpdate;
return status;
}
/*
* verify the ocsp status of a certificate
*/
bool
verify_by_ocsp(/*const*/ x509cert_t *cert, bool strict, time_t *until)
{
u_char status;
ocsp_location_t location;
time_t nextUpdate = 0;
/* is an ocsp location defined? */
if (!build_ocsp_location(cert, &location))
return FALSE;
lock_ocsp_cache("verify_by_ocsp");
status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate);
unlock_ocsp_cache("verify_by_ocsp");
#ifdef HAVE_THREADS
if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
{
openswan_log("ocsp status is stale or not in cache");
add_ocsp_fetch_request(&location, cert->serialNumber);
/* inititate fetching of ocsp status */
wake_fetch_thread("verify_by_ocsp");
return !strict;
}
#endif
switch (status)
{
case CERT_GOOD:
DBG(DBG_CONTROL,
DBG_log("certificate is good")
)
/* with strict crl policy the public key must have the
* same lifetime as the validity of the ocsp status
*/
if (strict && nextUpdate < *until)
*until = nextUpdate;
break;
case CERT_REVOKED:
plog("certificate is revoked");
remove_x509_public_key(cert);
return FALSE;
case CERT_UNKNOWN:
plog("certificate status unkown");
if (strict)
{
remove_x509_public_key(cert);
return FALSE;
}
break;
}
return TRUE;
}
/*
* verify if a cert hasn't been revoked by a crl
*/
static bool verify_by_crl(/*const*/ x509cert_t *cert, bool strict,
realtime_t *until)
{
x509crl_t *crl;
char ibuf[ASN1_BUF_LEN], cbuf[ASN1_BUF_LEN];
lock_crl_list("verify_by_crl");
crl = get_x509crl(cert->issuer, cert->authKeySerialNumber,
cert->authKeyID);
dntoa(ibuf, ASN1_BUF_LEN, cert->issuer);
if (crl == NULL) {
unlock_crl_list("verify_by_crl");
libreswan_log("no crl from issuer \"%s\" found (strict=%s)",
ibuf,
strict ? "yes" : "no");
#if defined(LIBCURL) || defined(LDAP_VER)
if (cert->crlDistributionPoints != NULL) {
add_crl_fetch_request(cert->issuer,
cert->crlDistributionPoints);
wake_fetch_thread("verify_by_crl");
}
#endif
if (strict)
return FALSE;
} else {
x509cert_t *issuer_cert;
bool valid;
DBG(DBG_X509,
DBG_log("issuer crl \"%s\" found", ibuf));
#if defined(LIBCURL) || defined(LDAP_VER)
add_distribution_points(cert->crlDistributionPoints,
&crl->distributionPoints);
#endif
lock_authcert_list("verify_by_crl");
issuer_cert = get_authcert(crl->issuer,
crl->authKeySerialNumber,
crl->authKeyID, AUTH_CA);
dntoa(cbuf, ASN1_BUF_LEN, crl->issuer);
valid = check_signature(crl->tbsCertList, crl->signature,
crl->algorithm, issuer_cert);
unlock_authcert_list("verify_by_crl");
if (valid) {
bool revoked_crl, expired_crl;
DBG(DBG_X509,
DBG_log("valid crl signature on \"%s\"", cbuf));
/* with strict crl policy the public key must have the same
* lifetime as the crl
*/
if (strict && realbefore(crl->nextUpdate, *until))
*until = crl->nextUpdate;
/* has the certificate been revoked? */
revoked_crl = x509_check_revocation(crl,
cert->serialNumber);
/* is the crl still valid? */
expired_crl = realbefore(crl->nextUpdate, realnow());
unlock_crl_list("verify_by_crl");
if (expired_crl) {
char tbuf[REALTIMETOA_BUF];
libreswan_log(
"crl update for \"%s\" is overdue since %s",
cbuf,
realtimetoa(crl->nextUpdate, TRUE,
tbuf, sizeof(tbuf)));
#if defined(LIBCURL) || defined(LDAP_VER)
/* try to fetch a crl update */
if (cert->crlDistributionPoints != NULL) {
add_crl_fetch_request(cert->issuer,
cert->crlDistributionPoints);
wake_fetch_thread("verify_by_crl");
}
#endif
} else {
DBG(DBG_X509,
DBG_log("crl is \"%s\" valid", cbuf));
}
if (revoked_crl || (strict && expired_crl)) {
/* remove any cached public keys */
remove_x509_public_key(cert);
return FALSE;
}
} else {
unlock_crl_list("verify_by_crl");
libreswan_log("invalid crl signature on \"%s\"", cbuf);
if (strict)
return FALSE;
}
}
return TRUE;
}
